Carberp: Quietly replacing Zeus as the financial malware of choice

Zeus ushered in a new era of malware, but it's slowly losing its effectiveness. Don't celebrate just yet; Zeus's heir apparent, Carberp, is ready to take over.

Financial malware like Zeus provides a significant ROI for the bad guys. Just ask fellow IT security writer Brian Krebs, who tirelessly reports on how much damage Zeus has caused. I even added my two cents about Zeus and its successes.

What is financial malware?

Automated Clearing House (ACH) transactions and Electronic Fund Transfers (EFT) are the main focus of financial malware. The malcode tries to steal login and account information, which lets the attacker move the victim's money to bank accounts of the attacker's choice by EFT.

Security experts who focus on financial malware describe two types of attack.

General attacks: This class of malware is designed to steal user-login information for any SSL session, not just banking sites. For example, attackers also gather credentials for web-based email and social-network sites like Facebook. The steps are:

The user browses to the web site's login page.

The user enters the appropriate login information and hits enter.

The malware intercepts the login POST request inside the browser, capturing the username and password before they are encrypted for the SSL session.

The malware sends the stolen information back to the attacker's command and control server, usually over HTTP.

The user, none the wiser, is then logged into the account.

The attacker can then log in to the account and transfer money at will.

General attacks work against financial institutions that do not use multi-factor authentication, because a stolen static password is all the attacker needs to log in as the victim.

Targeted attack: This type of attack made Zeus famous. The attacker builds configuration files for specific online-financial institutions. These files drive what is called a Man-in-the-Browser (MitB) attack, in which the malware, running inside the browser, replaces or rewrites the bank's web page before the victim sees it. Here are the steps:

The victim enters the URL for the bank's web site.

The browser requests the login page from the bank's web server.

At the same time, the malcode checks its configuration file for a matching URL. If one is found, the attacker's replica web page (or extra HTML taken from the configuration file) is injected into what the browser renders.

The victim then enters the appropriate login credentials, which are sent to the attacker's command and control server.

If sophisticated enough, the targeted attack can also manipulate the victim's transactions, sending money to one of the attacker's bank accounts.
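To make the configuration-file mechanism concrete, here is a small added example. It is my own illustration, not code from the article or from any Zeus or Carberp sample. It parses one rule written in the public Zeus-family webinject syntax (set_url, data_before, data_inject, data_after, data_end), a format other financial malware families have copied, applies the rule to a bank login page the way the malware does before the browser renders it, and then runs the check a defender would run: which form fields does the browser show that the server never sent? The bank URL, the login page and the injected PIN field are all constructed for the example.

```python
"""Added example: simulates the targeted (Man-in-the-Browser) attack with
a rule in the public Zeus-family webinject syntax, then runs the check a
defender would run. The bank URL, the login page and the injected PIN
field are constructed for the example."""

import fnmatch
import re

# Constructed rule: on the bank's login page, insert a PIN field right
# after the password field. GP = apply to GET and POST requests.
SAMPLE_CONFIG = """\
set_url https://online.example-bank.test/login* GP
data_before
name="password"*>
data_end
data_inject
<br>PIN: <input type="text" name="pin">
data_end
data_after
data_end
"""

# Constructed stand-in for the page the bank's server actually sent.
ORIGINAL_PAGE = (
    '<form method="post" action="/login">'
    'User: <input type="text" name="username">'
    'Pass: <input type="password" name="password">'
    '<input type="submit" value="Sign in"></form>'
)

SECTIONS = ("data_before", "data_inject", "data_after")


def parse_webinjects(text):
    """Parse set_url / data_* / data_end blocks into a list of rule dicts."""
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        word = line.strip()
        if word.startswith("set_url "):
            parts = word.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else ""}
            current.update({s: "" for s in SECTIONS})
            rules.append(current)
        elif word in SECTIONS and current is not None:
            section, buf = word, []
        elif word == "data_end" and section is not None:
            current[section] = "\n".join(buf).strip()
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def _wild_to_regex(fragment):
    """Inside data_before/data_after, '*' matches any run of characters."""
    return ".*?".join(re.escape(piece) for piece in fragment.split("*"))


def apply_webinjects(url, html, rules):
    """Rewrite the page as the malware would before the browser renders it.
    Everything between data_before and data_after is replaced by
    data_inject; with an empty data_after, data_inject is simply inserted
    after data_before. Returns (modified_html, url_patterns_that_fired)."""
    fired = []
    for rule in rules:
        if not fnmatch.fnmatchcase(url, rule["url"]):
            continue
        start = 0
        if rule["data_before"]:
            m = re.search(_wild_to_regex(rule["data_before"]), html, re.S)
            if not m:
                continue
            start = m.end()
        end = start
        if rule["data_after"]:
            m = re.search(_wild_to_regex(rule["data_after"]), html[start:], re.S)
            if not m:
                continue
            end = start + m.start()
        html = html[:start] + rule["data_inject"] + html[end:]
        fired.append(rule["url"])
    return html, fired


def new_input_fields(server_html, browser_html):
    """Defender-side check: form fields the browser shows that the server
    never sent. Anything listed here was added on the client side."""
    names = lambda h: set(re.findall(r'<input\b[^>]*\bname="([^"]+)"', h))
    return sorted(names(browser_html) - names(server_html))


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_CONFIG)
    page, fired = apply_webinjects(
        "https://online.example-bank.test/login?lang=en", ORIGINAL_PAGE, rules)
    print("rules fired:", fired)
    print("fields the bank never asked for:", new_input_fields(ORIGINAL_PAGE, page))
```

The point of the last function is that the bank's server never sees the injected field, so server-side validation cannot catch it; the comparison has to happen on the client, or by a service that fetches the clean page and diffs it against what the victim's browser displays. The same mechanism, with a different data_inject, is what rewrites balances and payee lists once the victim is logged in.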

Enter Carberp

As I alluded to earlier, the bad guys know that public exposure is not in their best interest. So, with Zeus becoming a household word and the recent arrests, they know it's time to move on. Meet Carberp, a relatively unknown financial malware. Where do they get these names?

Carberp can carry out both general and targeted attacks. It also has new capabilities that make it deadlier than Zeus. The following are some of the new features found in Carberp:

Carberp does not require admin rights to run; it resides in memory.

It's capable of infecting Windows XP, Windows Vista, and Windows 7.

It's designed to control all Internet traffic, including HTTPS, even to sites that use EV-SSL certificates. Because the malware sits inside the browser, it sees form data before the browser encrypts it, so the strength of the certificate is irrelevant.

Stolen data is transmitted to the command and control servers before it's sent to the financial web site. That negates any advantage of using one-time passwords: the attacker receives the code while it is still valid.

It's scary knowing Carberp can run without admin rights. It also means Carberp must reactivate itself after a system restart. It does this by copying the required executable to the Startup folder of the currently logged-in user.

Normally, that would make the file easy to find. But Carberp's executable, chkntfs.exe, is hidden: it can't be seen with Windows Explorer or from the command line. Note that chkntfs.exe is also the name of a legitimate Windows tool that lives in System32; the malware borrows the name, and a copy anywhere else, especially in a Startup folder, is what to look for.

Thankfully, the way Carberp hides is also its Achilles Heel (I'll explain later).

Carberp removes other malware

At first, I thought malware designed to disable antivirus applications and other malcode was the malware author's ego kicking in. But in the case of financial malware, there is a valid reason.

Targets of financial malware likely interest more than one attacker. If the same login information were used by multiple criminals, the victim and the bank would soon notice that something was amiss. Besides, criminals don't like other criminals stealing from them.

Protective measures

As for Carberp's Achilles Heel: applications like WinPatrol and Process Explorer should reveal a process that is running from a Startup folder even when the file itself has been hidden from the directory listing. I have asked Bill Pytlovany, the developer of WinPatrol, for suggestions on what we should pay attention to.
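As an added example (my own illustration, not code from the article or from WinPatrol or Process Explorer), the following script does the cross-view comparison those tools rely on: it takes the list of running processes from one source and the contents of the current user's Startup folder from another, and flags any process whose executable lives in that folder but does not appear in the folder listing, plus any chkntfs.exe running from somewhere other than System32. It assumes the WMIC tool and the Startup folder locations of Windows XP through Windows 7; the process list and directory listing used in the self-test are constructed.

```python
"""Added example: cross-view check for a process running from the
current user's Startup folder whose file the file-system listing does
not show. Assumes Windows XP through 7 and the WMIC tool; the sample
data in the self-test is constructed."""

import csv
import ntpath
import os
import subprocess

# chkntfs.exe is a legitimate Windows tool only when it lives in System32.
LEGIT_CHKNTFS_DIR = ntpath.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")


def startup_dir_candidates():
    """Per-user Startup folders: the XP layout and the Vista/7 layout."""
    home = os.environ.get("USERPROFILE", r"C:\Users\user")
    appdata = os.environ.get("APPDATA", ntpath.join(home, r"AppData\Roaming"))
    return [
        ntpath.join(home, r"Start Menu\Programs\Startup"),
        ntpath.join(appdata, r"Microsoft\Windows\Start Menu\Programs\Startup"),
    ]


def parse_wmic_csv(text):
    """Turn 'wmic process get ExecutablePath,ProcessId /format:csv' output
    into (pid, path) pairs. WMIC prints a blank line before the header and
    leaves ExecutablePath empty for system processes; both are skipped."""
    rows = [line for line in text.splitlines() if line.strip()]
    pairs = []
    for row in csv.DictReader(rows):
        path = (row.get("ExecutablePath") or "").strip()
        pid = (row.get("ProcessId") or "").strip()
        if path and pid.isdigit():
            pairs.append((int(pid), path))
    return pairs


def running_image_paths():
    """Process view: executable path of every running process (via WMIC)."""
    out = subprocess.run(
        ["wmic", "process", "get", "ExecutablePath,ProcessId", "/format:csv"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_wmic_csv(out)


def startup_discrepancies(process_paths, startup_dir, listed_files):
    """Compare the process view with the file-system view of one Startup
    folder. listed_files is what Explorer / dir / os.listdir reported.
    Returns (pid, path, reason) findings; an empty list is a clean result."""
    want_dir = ntpath.normcase(ntpath.normpath(startup_dir))
    listed = {ntpath.normcase(name) for name in listed_files}
    findings = []
    for pid, path in process_paths:
        parent = ntpath.normcase(ntpath.normpath(ntpath.dirname(path)))
        name = ntpath.normcase(ntpath.basename(path))
        if parent == want_dir:
            if name not in listed:
                findings.append((pid, path, "running from Startup, file hidden from listing"))
            else:
                # Legitimate software rarely drops an .exe here; still worth a look.
                findings.append((pid, path, "running from Startup folder"))
        elif name == "chkntfs.exe" and parent != ntpath.normcase(LEGIT_CHKNTFS_DIR):
            findings.append((pid, path, "chkntfs.exe outside System32"))
    return findings


def check_this_machine():
    """Run the comparison against the live system (Windows only)."""
    findings = []
    procs = running_image_paths()
    for folder in startup_dir_candidates():
        if os.path.isdir(folder):
            findings += startup_discrepancies(procs, folder, os.listdir(folder))
    return findings


if __name__ == "__main__":
    for pid, path, reason in check_this_machine():
        print(f"PID {pid}: {path} -> {reason}")
```

The listing side of the comparison uses the same user-mode directory API that Explorer and cmd.exe use, so a hook that hides the file from them hides it from this script too; that is exactly what makes the process side useful, since the process still has to exist to run. A finding of "file hidden from listing" is therefore strong evidence of a user-mode rootkit, and the machine should be examined offline rather than cleaned from inside the infected session.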

A common thread with all financial malware is the capture of the victim's username and password. I do not have enough details about Carberp to say explicitly that an anti-keylogger program will help. It seems logical that anti-keylogger applications would be useful against malware that records keystrokes, but note that the general attack described above grabs the form data from inside the browser after it has been typed, so keystroke encryption does not protect against that step.

My anti-keylogger program of choice is KeyScrambler. I consider it valuable insurance against financial malware and other keylogging attacks. I have also asked QFX Software for their opinion on whether KeyScrambler defeats financial malware.

I just read an article by FireEye that describes a new financial malware that focuses on MitB and subverting web pages. Here is what FireEye says:
1. Bot herders can supply a list of URLs (mostly of banking sites) so that the malware can start intercepting these web pages. What this means is that whenever a user tries to visit these web sites, the malware will start submitting the web form data back to its CnC. These web forms and the data inside them will be intercepted well before it gets encapsulated into HTTPS. All the information, including login credentials, will be in the hands of bot herders in plain text.
2. It's fully capable of Man in the Browser (MITB) attacks. This means that it can intercept original web contents coming from legitimate servers in order to append its own crafted HTML. This is normally done to ask the user for more information than was originally requested by the actual server, like your PIN, Social Security number, etc.
3. It can also steal HTML pages from your browsing sessions. Sounds strange? Well, for any successful MITB attack, the attacker needs to know about the HTML being served by the legitimate server. Just imagine an attacker wants to modify HTML pages for the Wells Fargo "Add New Payee" web page. Unless the attacker himself has an account with Wells Fargo, he may not know the contents of this page. By stealing this private page while a legitimate user is browsing to it, the attacker is in a perfect position to prepare his future MITB attack.
Feodo is the first one to really focus on this aspect. FireEye also mentions how surprised they are at the number of target URLs in Feodo's configuration files.
http://blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html

Prevx supposedly blocks all screen and keyboard sharing with the user. It is a lot more seamless than Snoopfree because it works deeper in the kernel space; from what I read on their web site. You don't have to believe them, but I'm seeing supported data more and more from other IT folks on security forums. So maybe it really does put a "bubble" around the browser. I think it works with Mozilla, IE8, Chrome, and maybe two other browsers.
So far it will even block me from accessing certain keyboard attempts at logging. I give it permission if I instituted the action.
I can't prove it blocks SSL session riding, but many banks are signing on to it, or Rapport - another session riding blocker.
I'm willing to experiment with my own situation; it is worth it to see if the malware can get away with it. I access only one account online, lock away any other, and never access them with a PC. It seems the only way to really be sure my clients are safe is to experiment with my own finances. Needless to say, I watch that little account like a hawk!
I have no vested interest with Prevx; the online protection is free to FaceBook users so far.
I will have to try the long-venerated WinPatrol. I mistakenly thought it was just another anti-spy utility like Spybot or AdAware. It has to be one of the oldest applications out there! I seem to remember it back in the Win 3.1 days of DOS!!

Imagine what they could accomplish.
This is a rather interesting and apparently sophisticated malware suite. I'm interested to see the "in-depth report", but I am unsure whether I would "qualify" to view such a thing. I suspect it is put behind an email wall for a reason.
I would also very much like to see what the back end looks like. I wonder how long it will be until someone gets a copy of that to display. (Dancho Danchev always seems like a good bet for such things.)

doesn't tip you off at all. If it did, I'd think LastPass wouldn't respond to it. I had one instance where I followed the wrong link to one of my sites, and despite the page looking the same, the plug-in had no selection ready for it.
It is getting to be where internet banking will fail if this gets any worse!
I also got to wonder how my certificate sensors like Prevx and Comodo's Verification Engine would parse such a fake site. Perhaps any certificate with any ID can be faked?

In fact most anti-malware apps register it as a ZeuS variant.
I presented the information I found after several weeks of research. I could have waited longer, but I felt it important to get the word out to the members.
Mr. Danchev definitely is an SME and will be able to provide more details.

Bank of America uses a two-part login: the home page is https and you enter your user name first. Then a new page appears showing a graphic you selected (you can even upload your own graphic file if you want). If you recognize the graphic, you go ahead and enter your password.
I believe this would be hard -very hard- to defeat since the attacker would have no way of knowing what your graphic image was so they would have no way of loading a fake page to trick you.
Would you agree?

with Snoopfree, which is supposedly obsolete; and ol' Snoopy won, every time. I've noticed there are several incompatible programs that I'm told run in that space.
Defence+ -which is a Comodo Firewall feature, that has a kick ass HIPS that watches all file manipulation, and has a white-list against most popular applications, and a sandbox for untrusted processes.
SnoopFree Privacy Shield - which only blocks keyboard and video "hooks". I assume it does this at the start of the application level.
Prevx - as explained before, but supposedly doesn't rely on process hooks to monitor the keyboard and video, and runs just below the application area in the kernel space. Rapport does the same as far as session riding prevention. Both may have processes running in RAM, but all of them act to me like a rootkit. They get real unstable while something is messing with them, and if you try to run more than one in the same machine, you can get boot loops, blue screens, etc.
Even rootkits run things in memory, what would be wrong with that? I mean in the context of fighting fire with fire? ?:|
My scenario would go like this:
1. The user browses to the web site's login page.
2. The user next inserts the appropriate login information and hits enter. (LastPass would do this encrypted from the cloud)
3. The financial malware intercepts the login POST request, obtaining the login user-name and password before it's encrypted.
(Prevx denies any transmission from the browser except to the originating source)
The following in italics would be foiled - supposedly.
[i]4. The malware sends the stolen information back to the attacker's command and control server, usually over HTTP.
5. The user, none the wiser, is then logged into the account.
6. The attacker then can gain access to the account and transfer money at will.[/i]
7. General attacks are used against financial institutions that do not use multi-factor authentication.

This seems like a good opportunity for banks or someone in the open source community to create a Financial Linux variant just for online transactions. Something that is very locked down and can only perform that function. In the mean time Live CD's will have to be used.

A 2 part login is better than nothing but it would not protect you from a man-in-the-browser attack. If your browser is, in effect, a "bad guy", it just waits until you login, no matter how that happens, and then modifies data coming and going between you and your bank.
For example, the web page you see may say that you have X dollars in your account, but that was not the balance in your account when the bank web site sent the page to you. The malware in the browser can modify web pages before displaying them.
Boot to Linux for online banking.

This is why an in-depth defense is the only way to go. I feel session riding and keyboard/screen capture defenses are more important. So I don't install Defense+. On clients that trust it, and don't like the other utilities, I do install it.

...but as I've intentionally gone to find malware to test machines with on numerous occasions, that shouldn't be a surprise. Not to mention all the malware I've been exposed to on what must be the least secure set of networks ever assembled.

for now. I've talked at length with Linux users who claim to be in the know, and they say Linux is not invulnerable to this kind of attack. It may never happen, but nonetheless.
You also have to remember - the new Linux users are just as clueless as the newbie Windows and OSX users. All of which still get into trouble.

Thanks for the tip. Offered for free at Facebook.. ..how I laughed.
Oh KERNELS, thank you also for reminding me of how busy the Linux machine to my right has been with updates, particularly to the kernel. I don't see much squawking about that in the jungle, and I honestly wonder why.

that I linked to. It is pretty deep, even for me. They make a bald faced challenge to Zeus and its variants! That being Prevx, not LastPass of course.
I mentioned LastPass because some malware are not as sophisticated, and rely on keyboard signals and other browser or video activity to grab the customer's data. Whereas LastPass provides it encrypted until the point of form entry.
I repeat the link here: http://pxnowa.prevx.com/zerol/immunity.pdf

I am not good at interpretation of the file manipulations going on, and I'm not sure session riding would be prevented.
However, Prevx is the only product that makes a bald-faced challenge to Zeus and its variants.
They intercept the browser attack at the kernel layer.
This isn't the only thing it does, but I consider it more important for newbies; especially ones that frequent FaceBook, where it is offered for free.
If it really works, I hope the Banks adopt it soon, as they claim to make it cheap enough the banks could offer their locked down service for customers for free.

Thank you for confirming my suspicions that there is little alternative but for defence in depth.
I used to use the Diamond CS HIPs, which was like a Rottweiler, plus also Regprot. Then I moved on, but always to things that work better. My impression of the Comodo package is that in 'safe mode' it is less overtly aggressive than before; newly saved installers do not come under 'safe'; I found both the portable and installed versions of Firefox did not elicit a response from it in safe mode. Today it crashed 4 x, so I'm looking for an alternative.

that looks at any file. I don't think it uses black lists; it may have a behavioral black list though (I stand corrected then). It will identify it, but it can't always match it with the white list; so it alerts anytime a file, known or not, is changed.
Maybe I'm clear off track, but Maverick Phantom pointed to some of what I understand goes on with it. Comodo is constantly upgrading it, and I keep pretty busy, just trying to keep up with all the new features it has.
Then again, maybe I'm all wet on just how a HIPS works in the first place.

that morphing would not help the malware, because Defense + is geared for just that. If a file changes at all, Defense + will alert the user.
Trouble is - I'd probably OK the change if a Google search was non-indicative of a problem.
Not being totally aware of the file habits of Vista/Win7 can be a hindrance. On XP - I might just make it.

The report was written in 2009. Zeus and its variants switched to residing in memory only early in 2010. So the report is behind as it does not mention anything about that.
What part does not make sense?

On Comodo's Defense+ it generally checks files before they load to memory (and after they load to memory (and even after that sometimes)).
It also has cloud based behavior analysis of said files (not sure how well that works), and detects several other things (though again, I'm not sure how well it works).

That report was written in early 2009. That was before ZeuS was residing only in memory.
A report written by the vendor has little value other than advertising. If NSS Labs reported that, then I would listen.

if the HIPS in Comodo Firewall Defense+, or Kaspersky, or even GDATA couldn't detect the file-manipulating ways of any Zeus variant.
I've used GDATA a little and it seems pretty wise to the ways of the Windows operating system(XP).
So far, all of them seem invulnerable to sabotage by the malware. Prevx is supposed to work while the system is infected with such malware.